Catapult Privacy Policy

1. Who we are

This site and the Catapult service are operated by Activo Nutrition LLC, a Delaware limited liability company with an address at 8 The Green, Suite 5785, Dover, DE 19901, USA, operating under the brand Catapult ("Catapult," "we," "us," "our"). Founder and contact: Bas Rijksen.

Where the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / CPRA (CCPA), or the EU AI Act applies to a visitor or prospect, we honor those protections. Where any law gives a person more protection, that stronger protection governs.

This policy explains what personal data we collect, why, the legal basis for it, who we share it with, how long we keep it, how we secure it, and the rights you have.

2. The two stages of Catapult, and why they matter for your data

How we handle data depends entirely on which stage you are in. The two stages are very different, and we keep them separate on purpose.

Stage 1: the free Scale Audit (no account access, ever). Before any engagement, a prospect can request a free Scale Audit. We build it from public information plus what you type into our form. We do not connect to, log into, or read any of your private accounts at this stage. We do not access your Meta Business Manager, your Shopify admin, your ad account, or your customer records. If anything ever implies the audit needs account access, that is wrong: it does not.

Stage 2: the paid engagement (read-only account access, only after you sign). If you sign a Catapult agreement, and only then, you grant us read-only access to your Meta and Shopify accounts so the engine can build and measure creative. This is the stage where we process personal data belonging to your customers, and it is governed by the data-protection terms in your signed client agreement, in which you are the data controller and we are your processor. See Section 6.

3. What data we collect, and why

3.1 Stage 1: Free Scale Audit

What we collect	Where it comes from	Why
Your name, business name, email, and any contact details you enter	You, via our audit form	To send you the audit and follow up about it
The business numbers you type into the form (for example, ad spend, average order value, conversion figures, product and offer details)	You, via our form	To build a relevant audit for your brand
Your public website content and public customer reviews	Publicly available web pages	To understand your product, positioning, and customer language
Your live ads as shown in the Meta Ad Library (a public Meta tool)	Public Meta Ad Library	To analyze the creative you are already running publicly
Standard website/usage data (IP address, browser type, pages viewed, basic analytics)	Automatically, when you visit our site	Site operation, security, and aggregate analytics

We do not collect special-category data at this stage, and we ask you not to enter it. The audit form is for business numbers, not personal or sensitive information.

3.2 Stage 2: Paid engagement (after signing only)

Once you are a signed client, with your authorization, we receive read-only access to:

What we access (read-only)	Source	Why
Meta ad performance and Pixel data	Your Meta Business Manager, via standard API, read-only	To measure creative performance and the guarantee metric
Shopify orders, products, and customer records	Your Shopify store, via standard API, read-only	To measure real store revenue and tie results to the creative we run

The Shopify access is the important one for privacy. Your customer order records contain personal data about your customers (for example names, email addresses, shipping addresses, and order history). That data belongs to your customers, you are the controller of it, and we process it only on your behalf and only to build and measure creative. We never use it to contact your customers, never sell it, and never share it. This is governed by your client agreement. See Section 6.

We never receive your passwords. We never get admin access. No one on our side becomes a named user who can spend, publish, or change anything. Access is read-only, through standard professional API paths, and you can revoke it in one click at any time.

4. Legal basis for processing (GDPR Article 6)

We rely on these lawful bases:

Contract (Art. 6(1)(b)). Processing the form data you submit and, after signing, the account data needed to deliver and measure the service you contracted for.
Legitimate interests (Art. 6(1)(f)). Analyzing public information (your website, public reviews, public Meta Ad Library ads) to prepare a relevant audit, and basic site security and analytics. We balance this against your rights and limit it to what a business reasonably expects when it requests a competitive audit.
Consent (Art. 6(1)(a)). Where we send marketing emails or use non-essential cookies, we rely on your consent, which you can withdraw at any time.
Legal obligation (Art. 6(1)(c)). Keeping records we are required to keep (for example, tax and accounting records).

For the customer personal data inside your Shopify store (Stage 2): you, the client, are the controller and hold the lawful basis for that data toward your own customers. We act as your processor under GDPR Article 28, processing it only on your documented instructions, as set out in your client agreement.

5. Sub-processors (the vendors that help run the engine)

We use a small set of vetted vendors ("sub-processors") to operate the service. Each handles only the data needed for its function. Your data is siloed per client. It is never shared across clients, and we never use your data to train or improve our own models or systems, or any model across clients.

The most important thing to understand about the AI render vendors: they receive only the creative brief (scripts, brand assets, reference media), never your customers' personal order data. Your customers' order data is read only by us, only to measure the win on your own dashboard, and it never reaches a render tool.

Sub-processor	What it does	Data it touches	How your data is handled
AI language-model provider	AI reasoning / language for the engine	Audit and engagement text data, never customer order records	Operates under the provider's standard commercial terms. Not used by us to train our own systems
Advertising-library data provider	Retrieves public ad-library data	Public Meta Ad Library ad data only	No personal client account data
AI media-generation providers	Render AI video / static creative	The creative brief only (scripts, brand assets, reference media), never your customers' personal order data	Operate under their own standard commercial terms. Customer PII never reaches them
Cloud hosting and database	Hosting, encrypted access-token storage, and the client delivery dashboard	Stored engagement data, encrypted access tokens, and the finished creative + your review notes you see in the Deck	Infrastructure. Not used to train anything
Payment processor	Billing and payments	Your billing contact + payment data	PCI-compliant payments processor
Email delivery provider	Transactional and engagement email	Your name + email address	Email delivery. Not used to train anything

What "we don't train on your data" honestly means. We do not use your data to train or improve our own models or systems. Your data is siloed per client and never used to benefit another client. The outside AI tools above each operate under their own standard commercial terms, and we only ever send them the creative brief, never your customers' personal order data. We do not promise to control how a third-party tool handles the brief content under its own terms, which is why we are specific about exactly what each vendor receives.

We keep this list current and will give notice before adding or replacing a vendor that processes your personal data.

6. Your customers' data: controller vs processor

For the customer personal data we read from your Shopify store during a paid engagement:

You are the controller. It is your customers' data, collected by you, under your privacy notice and your lawful basis.
We are the processor. We process it only on your behalf, only to build and measure creative, and only as your written instructions in the client agreement allow.

The full terms, including purpose limitation, security, breach notification, and deletion, live in your signed client agreement. This Privacy Policy describes our own role. The client agreement governs the processor relationship.

7. Data siloing and no-train commitment

Per-client silo. Each client's brand voice, customer intelligence, creative, and data are kept separate. One client's data is never visible to, blended with, or used for another client.
We do not train our own systems on your data. We do not use your data to train or improve our own models or systems, and we do not pool client data to train a shared model. The outside AI tools we use operate under their own standard commercial terms and receive only the creative brief, never your customers' personal order data (Section 5).
Purpose limitation. Engagement data is used only to build and measure your creative, never for unrelated purposes.

8. How long we keep data, and deletion

Audit-stage form data and public-research data: kept while we are in contact about an audit or a possible engagement, then deleted or anonymized within 12 months if no engagement follows, or sooner on request.
Engagement data (including read-only account data and customer records): kept for the life of the engagement. On termination, we delete your brand and customer data from our active systems within 30 days, except minimal records we must keep for tax, legal, or dispute reasons, and routine backups that age out on their normal cycle. Anything retained stays under the same no-train and confidentiality terms.
Access tokens: stored encrypted (Section 10) and destroyed when you revoke access or the engagement ends.

You can ask us to delete your data at any time (Section 9).

9. Your rights

Depending on where you live (GDPR for the EU/EEA, CCPA/CPRA for California, and similar laws elsewhere), you have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Erase your data ("right to be forgotten").
Restrict or object to certain processing, including direct marketing.
Port your data to another provider where applicable.
Withdraw consent at any time, where we relied on consent.
Not be discriminated against for exercising CCPA rights, and to know we do not sell or "share" personal data for cross-context behavioral advertising.

For your own customers' data inside your Shopify store: because you are the controller, a data-subject request from one of your customers should go to you. If we receive one directly, we will promptly forward it to you and assist you in responding, as your client agreement requires.

To exercise any right, email bas@catapultscale.com. We respond within the timeframe the applicable law requires (for GDPR, normally within one month). We may ask you to verify your identity first, so we do not hand your data to the wrong person.

10. Security

Encryption of access tokens. The read-only access tokens you grant are stored encrypted, not in plain text.
Read-only by design. We hold read-only credentials only. We cannot spend, publish, or change anything in your accounts.
One-click revocation. You can revoke our access at any time, instantly.
Per-client isolation. Data is siloed per client, as described in Section 7.
Vetted vendors. Sub-processors are limited to those listed in Section 5, each handling only the data its function requires.

If a data breach affecting your customers' personal data ever happens, we will tell you without undue delay and help you meet your own legal deadlines, as your client agreement sets out.

11. AI-generated content and the EU AI Act (Article 50 disclosure)

Catapult produces AI-generated and AI-assisted video creative, including synthetic presenters and AI-generated audio. Under the EU AI Act, Article 50, content that is artificially generated or manipulated (so-called "deepfake" or synthetic media) must be disclosed as artificially generated to the people who see it.

What this means in practice:

We disclose to you, the client, that the creative we deliver is AI-generated or AI-assisted. It is, and we never imply a real, identified human endorser where there is not one.
The platform-level disclosure (for example, Meta's AI-content label) is applied at publish. Because you are the advertiser of record and you publish the ad, you are responsible for enabling the AI-content disclosure that Meta and applicable law require. We will tell you which ads need it.
No biometric voice or face cloning of real people. Voices are licensed synthetic voices. We do not clone a real, identified person's voice or face, so no biometric data of a real person is taken for that purpose.

12. Cookies and analytics

We use essential cookies to run the site and, with your consent, non-essential cookies for analytics. You can manage non-essential cookies through our cookie banner or your browser settings.

13. Changes to this policy

We may update this policy as the service evolves or the law changes. We will post the updated version with a new "last updated" date, and for material changes affecting clients, we will give notice as your client agreement and applicable law require.

14. Contact

Questions, requests, or concerns about your data:

Bas Rijksen, Activo Nutrition LLC (operating as Catapult) Email: bas@catapultscale.com Postal: 8 The Green, Suite 5785, Dover, DE 19901, USA

v0.3, effective 2026-06-24. We review and update this policy as our business grows and as the law evolves. Not legal advice.